From a3991400bc2730d3b0400ad16753a7bfbb28565d Mon Sep 17 00:00:00 2001
From: Hao Kung
Date: Thu, 12 Jun 2014 13:33:19 -0700
Subject: [PATCH] Switch to Crypto from DataProtection
---
 src/Microsoft.AspNet.Identity/Crypto.cs | 23 ++++++++++++++--------
 src/Microsoft.AspNet.Identity/project.json | 3 +--
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/src/Microsoft.AspNet.Identity/Crypto.cs b/src/Microsoft.AspNet.Identity/Crypto.cs
index 0ba19daa3d..0e8421378d 100644
--- a/src/Microsoft.AspNet.Identity/Crypto.cs
+++ b/src/Microsoft.AspNet.Identity/Crypto.cs
@@ -3,8 +3,7 @@
 using System;
 using System.Runtime.CompilerServices;
-using System.Text;
-using Microsoft.AspNet.Security.DataProtection;
+using System.Security.Cryptography;
 namespace Microsoft.AspNet.Identity
 {
@@ -32,10 +31,14 @@ namespace Microsoft.AspNet.Identity
 }
 // Produce a version 0 (see comment above) text hash.
- var salt = new byte[SaltSize];
- CryptRand.FillBuffer(new ArraySegment(salt));
- var passwordBytes = Encoding.UTF8.GetBytes(password);
- var subkey = PBKDF2.DeriveKey("SHA1", passwordBytes, salt, Pbkdf2IterCount, Pbkdf2SubkeyLength);
+ byte[] salt;
+ byte[] subkey;
+ using (var deriveBytes = new Rfc2898DeriveBytes(password, SaltSize, Pbkdf2IterCount))
+ {
+ salt = deriveBytes.Salt;
+ subkey = deriveBytes.GetBytes(Pbkdf2SubkeyLength);
+ }
+
 var outputBytes = new byte[1 + SaltSize + Pbkdf2SubkeyLength];
 Buffer.BlockCopy(salt, 0, outputBytes, 1, SaltSize);
 Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SaltSize, Pbkdf2SubkeyLength);
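Review bot: The PRF and the password encoding are now implicit in the hashing hunk (`@@ -32,10 +31,14 @@`): the removed call named `"SHA1"` and `Encoding.UTF8` explicitly, while `new Rfc2898DeriveBytes(password, SaltSize, Pbkdf2IterCount)` relies on the class defaults (HMAC-SHA1 and UTF-8 encoding of the string). The version 0 format stays verifiable only while both hold, so I would record that above the `using`, e.g. `// Rfc2898DeriveBytes(string, ...) is PBKDF2-HMAC-SHA1 over the UTF-8 password; the version 0 format depends on both`. The same applies to `new Rfc2898DeriveBytes(password, salt, Pbkdf2IterCount)` in the `@@ -65,8 +68,12 @@` hunk. The enclosing method starts and ends outside the hunk and the value of `Pbkdf2IterCount` is not visible here, so whether the work factor is adequate for HMAC-SHA1 needs to be confirmed against the constant's definition.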
@@ -65,8 +68,12 @@ namespace Microsoft.AspNet.Identity
 Buffer.BlockCopy(hashedPasswordBytes, 1, salt, 0, SaltSize);
 var storedSubkey = new byte[Pbkdf2SubkeyLength];
 Buffer.BlockCopy(hashedPasswordBytes, 1 + SaltSize, storedSubkey, 0, Pbkdf2SubkeyLength);
- var passwordBytes = Encoding.UTF8.GetBytes(password);
- var generatedSubkey = PBKDF2.DeriveKey("SHA1", passwordBytes, salt, Pbkdf2IterCount, Pbkdf2SubkeyLength);
+
+ byte[] generatedSubkey;
+ using (var deriveBytes = new Rfc2898DeriveBytes(password, salt, Pbkdf2IterCount))
+ {
+ generatedSubkey = deriveBytes.GetBytes(Pbkdf2SubkeyLength);
+ }
 return ByteArraysEqual(storedSubkey, generatedSubkey);
 }
diff --git a/src/Microsoft.AspNet.Identity/project.json b/src/Microsoft.AspNet.Identity/project.json
index e79cab620a..ba73fdea11 100644
--- a/src/Microsoft.AspNet.Identity/project.json
+++ b/src/Microsoft.AspNet.Identity/project.json
@@ -1,8 +1,6 @@
 {
 "version": "0.1-alpha-*",
 "dependencies": {
- "Microsoft.AspNet.HttpFeature" : "0.1-alpha-*",
- "Microsoft.AspNet.Security.DataProtection" : "0.1-alpha-*",
 "Microsoft.Framework.ConfigurationModel": "0.1-alpha-*",
 "Microsoft.Framework.DependencyInjection" : "0.1-alpha-*",
 "Microsoft.Framework.OptionsModel": "0.1-alpha-*",
@@ -26,6 +24,7 @@
 "System.Runtime": "4.0.20.0",
 "System.Runtime.Extensions": "4.0.10.0",
 "System.Security.Principal": "4.0.0.0",
+ "System.Security.Cryptography.DeriveBytes": "4.0.0.0",
 "System.Text.Encoding": "4.0.20.0",
 "System.Threading.Tasks": "4.0.10.0"
 }
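Review bot: Nothing in this commit checks that a hash written by the removed `PBKDF2.DeriveKey("SHA1", ...)` path still verifies through the new `Rfc2898DeriveBytes` call in the Crypto.cs verification hunk (`@@ -65,8 +68,12 @@`); the diffstat lists only Crypto.cs and project.json. A regression test that feeds a fixed, constructed version 0 hash and its known password to this method would pin the salt layout, iteration count and PRF across the library switch, so a silent mismatch shows up as a test failure rather than as users being unable to sign in. The method body starts outside the hunk, so the length and format-marker checks on `hashedPasswordBytes` that presumably precede these `BlockCopy` calls cannot be confirmed from here.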